Safe Harbor Update: European Commission’s Guidance, Plans for Safe Harbor 2.0
Within the next three months the European Commission (EC) hopes to conclude negotiations with the U.S. on a new safe harbor framework. We've previously written about the events surrounding the invalidation of the previous Safe Harbor here, here and here. The EC hopes to strengthen the framework's limitations and safeguards so as to protect EU citizens' fundamental right to the protection of personal data. The EC acknowledged that a framework is the simplest and least burdensome solution for transferring personal data across the Atlantic, which is especially important for smaller companies. Yet, according to an interview with the EU Justice Commissioner, Safe Harbor 2.0 may be more complicated and burdensome for companies, potentially requiring transparency reports that disclose the total number of U.S. government requests for customer data. Some critics question the proposed strict requirements aimed at U.S. government surveillance, arguing that certain European countries' own mass surveillance laws do not provide adequate protection either.
In the interim, the Commission issued guidance about which alternative transfer methods are available following the ECJ’s invalidation of the Safe Harbor program.
The EC endorsed the model Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and several derogations as acceptable transfer mechanisms pending (and following) adoption of a new safe harbor framework. Importantly, although the DPAs retain the power under Schrems to assess whether SCCs and BCRs are sufficient, the EC emphasized that member states must accept these mechanisms unless there is a separate basis for refusing a transfer to the third country. This is encouraging for companies after the German DPAs announced that they would not accept SCCs or BCRs as a legal basis for transferring data to the U.S.
The EC highlighted two important principles that apply regardless of which alternative transfer method is used. First, the company must collect and process the data in accordance with national laws. Second, data importers and exporters must ensure that their transfers comply with all EU standards and safeguards. In addition, the guidance highlighted several key points specific to each type of transfer mechanism.
Standard Contractual Clauses
While noting that SCCs are binding on member states, the EC recognized that relying on SCCs may not be sufficient on its own. Data exporters may need to take additional measures to ensure that appropriate safeguards are in place to protect the data. The DPAs retain supervisory authority over importers and exporters, and where the member state requires it, companies must continue to comply with notification or pre-authorization obligations.
Binding Corporate Rules
The EC reiterated that BCRs are intended for transfers between affiliated entities. The DPA in each member state from which the BCR envisions an intragroup transfer of personal data must approve and authorize the BCR.
Derogations
Derogations, or limited exceptions, are strictly interpreted and are not intended for repetitive or mass transfers. The EC listed six derogations, including transfers that are necessary for the performance of a contract, transfers on public interest grounds, transfers needed to protect the vital interests of the data subject, and, as a last resort, transfers to which the data subject has unambiguously consented. Because these derogations have limited application, most companies will need to adopt SCCs or BCRs to lawfully transfer data to and from the U.S. as part of their normal business operations.